Encryption SDK throws AwsCryptoException #68

Closed
Avik1993 opened this issue Aug 20, 2018 · 4 comments

Comments

@Avik1993

I am trying to integrate the Encryption SDK with Apache NiFi.
NiFi already includes the following versions of the Bouncy Castle dependencies:

        <dependency>
            <groupId>org.bouncycastle</groupId>
            <artifactId>bcprov-jdk15on</artifactId>
            <version>1.59</version>
        </dependency>
        <dependency>
            <groupId>org.bouncycastle</groupId>
            <artifactId>bcpg-jdk15on</artifactId>
            <version>1.59</version>
        </dependency>
        <dependency>
            <groupId>org.bouncycastle</groupId>
            <artifactId>bcpkix-jdk15on</artifactId>
            <version>1.59</version>
        </dependency>
        <dependency>
            <groupId>org.bouncycastle</groupId>
            <artifactId>bcprov-ext-jdk15on</artifactId>
            <version>1.59</version>
        </dependency>

But it throws the exception below:

2018-08-20 15:07:59,192 WARN [Timer-Driven Process Thread-5] o.a.n.controller.tasks.ConnectableTask Administratively Yielding AWSEncryptionProcessor[id=56b1bbfc-0165-1000-d94c-c242aa619d1b] due to uncaught Exception: com.amazonaws.encryptionsdk.exception.AwsCryptoException: java.security.InvalidAlgorithmParameterException: parameter object not a ECParameterSpec
com.amazonaws.encryptionsdk.exception.AwsCryptoException: java.security.InvalidAlgorithmParameterException: parameter object not a ECParameterSpec
	at com.amazonaws.encryptionsdk.DefaultCryptoMaterialsManager.getMaterialsForEncrypt(DefaultCryptoMaterialsManager.java:63)
	at com.amazonaws.encryptionsdk.AwsCrypto.encryptData(AwsCrypto.java:248)
	at com.amazonaws.encryptionsdk.AwsCrypto.encryptData(AwsCrypto.java:228)
	at org.apache.nifi.processors.aws.encryption.AWSEncryptionProcessor.onTrigger(AWSEncryptionProcessor.java:146)
	at org.apache.nifi.processor.AbstractProcessor.onTrigger(AbstractProcessor.java:27)
	at org.apache.nifi.controller.StandardProcessorNode.onTrigger(StandardProcessorNode.java:1165)
	at org.apache.nifi.controller.tasks.ConnectableTask.invoke(ConnectableTask.java:203)
	at org.apache.nifi.controller.scheduling.TimerDrivenSchedulingAgent$1.run(TimerDrivenSchedulingAgent.java:117)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.InvalidAlgorithmParameterException: parameter object not a ECParameterSpec
	at org.bouncycastle.jcajce.provider.asymmetric.ec.KeyPairGeneratorSpi$EC.initialize(Unknown Source)
	at com.amazonaws.encryptionsdk.internal.TrailingSignatureAlgorithm$ECDSASignatureAlgorithm.generateKey(TrailingSignatureAlgorithm.java:88)
	at com.amazonaws.encryptionsdk.DefaultCryptoMaterialsManager.generateTrailingSigKeyPair(DefaultCryptoMaterialsManager.java:151)
	at com.amazonaws.encryptionsdk.DefaultCryptoMaterialsManager.getMaterialsForEncrypt(DefaultCryptoMaterialsManager.java:54)
	... 14 common frames omitted


Any leads where things could be wrong?

@karlw00t

We are taking a look at this. We'll have an update before Aug 28th.

bdonlan pushed a commit to bdonlan/aws-encryption-sdk-java that referenced this issue Aug 22, 2018
This avoids issues where a shaded version of BCProvider is installed in the
system JCE provider list, which can result in problems when we pass an
ECNamedCurveParameterSpec from a different shaded version of BC.

Fixes: aws#68
@bdonlan
Contributor

bdonlan commented Aug 22, 2018

This issue can occur if you have multiple versions of BouncyCastle in your classpath (e.g., if one version is shaded), and the one that is installed as the JVM-wide "BC" provider isn't the same one that is being used for the encryption SDK.

Can you please try this branch and see if it fixes your issue? https://github.com/bdonlan/aws-encryption-sdk-java/tree/bc_prov

@bdonlan
Contributor

bdonlan commented Aug 22, 2018

Note that this can also happen if you have BC loaded via multiple classloaders as well; this might be closer to what you're seeing.

@TerrenceMiao

I have the SAME issue as reported. Exception thrown:

com.amazonaws.encryptionsdk.exception.AwsCryptoException: java.security.InvalidAlgorithmParameterException: parameter object not a ECParameterSpec
        at com.amazonaws.encryptionsdk.internal.EncryptionHandler.<init>(EncryptionHandler.java:114)
        at com.amazonaws.encryptionsdk.AwsCrypto.encryptData(AwsCrypto.java:185)
        at com.amazonaws.encryptionsdk.AwsCrypto.encryptString(AwsCrypto.java:211)
        at com.amazonaws.encryptionsdk.AwsCrypto.encryptString(AwsCrypto.java:223)

...

Caused by: java.security.InvalidAlgorithmParameterException: parameter object not a ECParameterSpec
        at org.bouncycastle.jcajce.provider.asymmetric.ec.KeyPairGeneratorSpi$EC.initialize(Unknown Source)
        at com.amazonaws.encryptionsdk.internal.EncryptionHandler.generateTrailingSigKeyPair(EncryptionHandler.java:367)
        at com.amazonaws.encryptionsdk.internal.EncryptionHandler.<init>(EncryptionHandler.java:105)
        ... 87 common frames omitted

Two Java apps with the same Bouncy Castle libraries deployed on Tomcat 9.0.13 on JDK 1.8.0_171:

    $TOMCAT_HOME/webapps/app1/WEB-INF/lib/bcprov-ext-jdk15on-1.55.jar
    $TOMCAT_HOME/webapps/app1/WEB-INF/lib/bcpkix-jdk15on-1.55.jar
    $TOMCAT_HOME/webapps/app1/WEB-INF/lib/bcprov-jdk15on-1.55.jar

    $TOMCAT_HOME/webapps/app2/WEB-INF/lib/bcprov-ext-jdk15on-1.55.jar
    $TOMCAT_HOME/webapps/app2/WEB-INF/lib/bcpkix-jdk15on-1.55.jar
    $TOMCAT_HOME/webapps/app2/WEB-INF/lib/bcprov-jdk15on-1.55.jar

With the fix bdonlan provided (bdonlan@d57a75f), I rebuilt aws-encryption-sdk-java from the master branch and reran the test; the test passed and the issue is fixed.

When are you going to include this fix in the next aws-encryption-sdk-java release?

Thanks

bdonlan pushed a commit that referenced this issue Nov 29, 2018
* Use the BouncyCastleProvider class directly

This avoids issues where a shaded version of BCProvider is installed in the
system JCE provider list, which can result in problems when we pass an
ECNamedCurveParameterSpec from a different shaded version of BC.

Fixes: #68

* Add BouncyCastleConfiguration class for handling BC init

This moves the BouncyCastleProvider creation from CryptoAlgorithm to
BouncyCastleConfiguration, which also contains a static field for classes that
must use a pegged version of BouncyCastle. A newInstance reference is included
from CryptoAlgorithm to BouncyCastleConfiguration to force initialization, since
it depends on BouncyCastle being on the SecurityProvider chain.

* Add comments, and use static method to force class loading

This adds documentation for the purpose of the BouncyCastleConfiguration class,
and uses a static method call to force the BouncyCastleConfiguration class to be
loaded.
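An added illustration of the mismatch bdonlan describes above (a JVM-wide "BC" provider that is a different copy of Bouncy Castle than the one the caller's classloader sees) and of the pinning approach the commit message takes. This is example code written for this issue, not code from the SDK, from NiFi or from the commit; the class and method names, the diagnostic output and the secp384r1 curve choice are assumptions.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import org.bouncycastle.jce.ECNamedCurveTable;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jce.spec.ECNamedCurveParameterSpec;

public final class PinnedBcDemo {
    // One provider instance built from the BouncyCastleProvider class that THIS
    // classloader resolved, so spec and provider always come from the same BC copy.
    private static final Provider PINNED_BC = new BouncyCastleProvider();

    // Diagnostic: compare class objects, not class names. Two shaded or
    // separately loaded BC copies share the name but are different classes,
    // which is exactly what makes BC's "instanceof ECParameterSpec" check fail.
    static String describeProviderMismatch() {
        Provider registered = Security.getProvider("BC");
        if (registered == null) {
            return "no JVM-wide BC provider registered";
        }
        if (registered.getClass() == BouncyCastleProvider.class) {
            return "registered BC is the same class as ours; lookups by name are safe";
        }
        return "MISMATCH: registered BC loaded by " + registered.getClass().getClassLoader()
             + ", our BouncyCastleProvider loaded by " + BouncyCastleProvider.class.getClassLoader();
    }

    // Lookup by provider name: resolves to whichever BC copy was installed JVM-wide.
    // If that copy differs from the one that produced the spec, initialize() throws
    // InvalidAlgorithmParameterException ("parameter object not a ECParameterSpec").
    static KeyPair generateByProviderName() throws Exception {
        ECNamedCurveParameterSpec spec = ECNamedCurveTable.getParameterSpec("secp384r1");
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", "BC");
        kpg.initialize(spec);
        return kpg.generateKeyPair();
    }

    // Pinned variant: pass the Provider object, so no JVM-wide registration is
    // needed and the spec class and the provider's expected class are identical.
    static KeyPair generatePinned() throws Exception {
        ECNamedCurveParameterSpec spec = ECNamedCurveTable.getParameterSpec("secp384r1");
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", PINNED_BC);
        kpg.initialize(spec);
        return kpg.generateKeyPair();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(describeProviderMismatch());
        System.out.println("pinned key: " + generatePinned().getPublic().getAlgorithm());
    }
}
```

Running describeProviderMismatch() inside the affected NiFi or Tomcat deployment shows whether the registered "BC" provider and the application's own Bouncy Castle come from different classloaders before any SDK call is made.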